【问题标题】:How to make Spring Security and cas work with Multiples urls pointing to the same server如何使 Spring Security 和 cas 与指向同一服务器的多个 url 一起工作
【发布时间】:2016-04-18 19:50:08
【问题描述】:

我的工作面临一个非常棘手的情况。用户可以使用 2 个不同的 url 访问我们的网站:

http://mycorporation.com/myapp/
http://portal.mycorporation.com/myapp/

我面临的问题是 spring security 和 cas 配置似乎只适用于硬编码的单个 url:

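<!-- CAS service definition: the URL CAS redirects back to with the service ticket. -->
<bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
        <!-- Callback URL built from one configured hostname. NOTE(review): http:// sends the service ticket in clear text; prefer https:// where TLS is available -->
        <property name="service" value="http://${myapp.hostname}/${myapp.appname}/j_spring_cas_security_check"/>
        <!-- false: CAS is not asked to force a fresh login (renew) -->
        <property name="sendRenew" value="false"/>
        <!-- Bean property names drop the "set" prefix of the setter: setAuthenticateAllArtifacts(boolean) is configured as "authenticateAllArtifacts" -->
        <property name="authenticateAllArtifacts" value="true"/>
    </bean>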

所以我的问题是,有什么方法可以检测运行时使用的 url? 在我的研究过程中,我遇到了这个answer,但他似乎检索到当前网址的部分我无法正确处理,因为我不使用 HATEOAS。

如果需要,我可以提供任何其他信息。另外,请原谅我的英语。我不是本地人。

这是整个 spring 安全配置:

<!-- Enables method-level checks through @Secured annotations -->
<security:global-method-security secured-annotations="enabled" />

    <!-- Web security: unauthenticated access to a protected URL is handed to casEntryPoint (CAS login).
         NOTE(review): auto-config="true" also switches on the default login mechanisms; confirm they are wanted alongside CAS. -->
    <security:http auto-config="true" use-expressions="true" entry-point-ref="casEntryPoint">
        <!-- Only these two patterns carry an access rule. NOTE(review): paths matching neither have no rule here; confirm that is intended or add a catch-all -->
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/protected/**" access="isAuthenticated()" />
        <!-- CAS ticket processing filter -->
        <security:custom-filter position="CAS_FILTER" ref="casFilter"/>
        <!-- Project filter for ajax requests, placed after exception translation -->
        <security:custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
        <!-- Local logout that then redirects to CAS, placed before the standard logout filter -->
        <security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
        <!-- CAS single sign-out filter, placed before the CAS filter -->
        <security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
    </security:http>

    <!-- Loads the settings of the running environment; ${...} placeholders below are resolved from this properties file -->
    <context:property-placeholder location="classpath:environment.properties"/>

    <!-- Definition of the application (CAS service) whose authentication is managed by CAS.
         The service URL is fixed to a single hostname taken from the properties file.
         NOTE(review): the callback uses http://, so the service ticket CAS appends to it travels in clear text; prefer https:// where TLS is available. -->
    <bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value="http://${example.hostname}/${example.appname}/j_spring_cas_security_check"/>
        <!-- false: CAS is not asked to force a fresh login (renew) -->
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- Definition of the filter that checks, for ajax requests, whether the session has expired.
         Project-specific class; presumably 901 is the status code it returns to ajax callers on expiry (confirm in AjaxTimeoutRedirectFilter). -->
    <bean id="ajaxTimeoutRedirectFilter" class="com.example.util.AjaxTimeoutRedirectFilter">
        <property name="customSessionExpiredErrorCode" value="901"/>
    </bean>

    <!-- Authentication filter used by CAS: receives the ticket callback and passes it to authenticationManager -->
    <bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <!-- CAS entry point (login page): redirects unauthenticated users to loginUrl,
         passing the service URL taken from serviceProperties -->
    <bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value="https://login.example.com/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- Definition of the authentication manager; its only provider is casAuthenticationProvider -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- Configuration of the authentication performed by CAS: validates the service ticket
         and loads the user through userService -->
    <bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <!-- Looks the authenticated CAS principal up by name in userService (the LDAP user service) -->
        <property name="authenticationUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">             
            <constructor-arg ref="userService" />
        </bean>
        </property>
        <!-- Same service definition the entry point uses; the ticket is validated against this service URL -->
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <!-- CAS 2.0 ticket validation against the CAS server prefix given below.
                 NOTE(review): this host (login.example.mp.br) differs from the loginUrl host on casEntryPoint (login.example.com); confirm both point at the same CAS server. -->
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://login.example.mp.br/cas" />
            </bean>
        </property>
        <!-- Identifier for tokens created by this provider. NOTE(review): static value kept in the config file -->
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <!-- Returns the LDAP user for the login that was authenticated by CAS; project-specific mapper builds the user object -->
    <bean id="CustomLDAPUserContextMapper" class="com.example.util.CustomLDAPUserContextMapper"></bean>
    <!-- NOTE(review): ldap:// on port 389 is unencrypted, so directory lookups cross the network in clear text; consider ldaps:// or StartTLS.
         No manager-dn / manager-password is set here, so the lookups presumably bind anonymously (confirm). -->
    <security:ldap-server url="ldap://11.111.1.111:389/o=example"/>
    <!-- User lookup by mail attribute ({0} is the login name); groups are found through uniqueMember -->
    <security:ldap-user-service id="userService"
        user-search-filter="(&amp; (objectclass=person) (mail={0}) )" 
        group-search-filter="(uniqueMember={0})"
        user-context-mapper-ref="CustomLDAPUserContextMapper"
        />

    <!-- This filter deals with a Single Sign-out request coming from the CAS server -->
    <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

    <!-- This filter redirects to the CAS server so that the Single Sign-out is handled there -->
    <bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <!-- URL the browser is sent to after the local logout.
             NOTE(review): host example.com differs from the CAS login host (login.example.com); confirm it is the same CAS server. -->
        <constructor-arg value="https://example.com/cas/logout"/>
        <constructor-arg>
            <!-- Clears the local security context on logout -->
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
        </constructor-arg>
        <!-- Application URL that triggers this logout filter -->
        <property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
    </bean>

【问题讨论】:

  • 显示您当前的安全配置

标签: java url dynamic spring-security cas


【解决方案1】:

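CasAuthenticationEntryPoint(casEntryPoint bean)有一个 createServiceUrl() 方法。
您可以覆盖它以选择正确的服务(通过使用适当的参数调用 CommonUtils.constructServiceUrl())。
需要注意两点:CAS 在验证票据时会把 service 与登录时发送的值进行比对,因此 CasAuthenticationProvider 验证票据时也必须使用同一个 URL(例如将 ServiceProperties 的 authenticateAllArtifacts 设为 true,并给 casFilter 配置 ServiceAuthenticationDetailsSource);另外,主机名应只从已知主机的固定列表中选取,而不要直接采用请求中的 Host 头。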

【讨论】:
